Add explicit "Rosetta Flash JSONP abuse" protection · expressjs/express@f684a64 (original) (raw)

`@@ -14,11 +14,8 @@ describe('res', function(){

`

14

14

``

15

15

`request(app)

`

16

16

`.get('/?callback=something')

`

17

``

`-

.end(function(err, res){

`

18

``

`-

res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');

`

19

``

`-

res.text.should.equal('typeof something === 'function' && something({"count":1});');

`

20

``

`-

done();

`

21

``

`-

})

`

``

17

`+

.expect('Content-Type', 'text/javascript; charset=utf-8')

`

``

18

`+

.expect(200, /something({"count":1});/, done);

`

22

19

`})

`

23

20

``

24

21

`it('should use first callback parameter with jsonp', function(done){

`

`@@ -29,12 +26,9 @@ describe('res', function(){

`

29

26

`});

`

30

27

``

31

28

`request(app)

`

32

``

`-

.get('/?callback=something&callback=somethingelse')

`

33

``

`-

.end(function(err, res){

`

34

``

`-

res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');

`

35

``

`-

res.text.should.equal('typeof something === 'function' && something({"count":1});');

`

36

``

`-

done();

`

37

``

`-

})

`

``

29

`+

.get('/?callback=something&callback=somethingelse')

`

``

30

`+

.expect('Content-Type', 'text/javascript; charset=utf-8')

`

``

31

`+

.expect(200, /something({"count":1});/, done);

`

38

32

`})

`

39

33

``

40

34

`it('should ignore object callback parameter with jsonp', function(done){

`

`@@ -61,11 +55,8 @@ describe('res', function(){

`

61

55

``

62

56

`request(app)

`

63

57

`.get('/?clb=something')

`

64

``

`-

.end(function(err, res){

`

65

``

`-

res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');

`

66

``

`-

res.text.should.equal('typeof something === 'function' && something({"count":1});');

`

67

``

`-

done();

`

68

``

`-

})

`

``

58

`+

.expect('Content-Type', 'text/javascript; charset=utf-8')

`

``

59

`+

.expect(200, /something({"count":1});/, done);

`

69

60

`})

`

70

61

``

71

62

`it('should allow []', function(done){

`

`@@ -77,11 +68,8 @@ describe('res', function(){

`

77

68

``

78

69

`request(app)

`

79

70

`.get('/?callback=callbacks[123]')

`

80

``

`-

.end(function(err, res){

`

81

``

`-

res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');

`

82

``

`-

res.text.should.equal('typeof callbacks[123] === 'function' && callbacks123;');

`

83

``

`-

done();

`

84

``

`-

})

`

``

71

`+

.expect('Content-Type', 'text/javascript; charset=utf-8')

`

``

72

`+

.expect(200, /callbacks[123]({"count":1});/, done);

`

85

73

`})

`

86

74

``

87

75

`it('should disallow arbitrary js', function(done){

`

`@@ -93,11 +81,8 @@ describe('res', function(){

`

93

81

``

94

82

`request(app)

`

95

83

`.get('/?callback=foo;bar()')

`

96

``

`-

.end(function(err, res){

`

97

``

`-

res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');

`

98

``

`-

res.text.should.equal('typeof foobar === 'function' && foobar({});');

`

99

``

`-

done();

`

100

``

`-

})

`

``

84

`+

.expect('Content-Type', 'text/javascript; charset=utf-8')

`

``

85

`+

.expect(200, /foobar({});/, done);

`

101

86

`})

`

102

87

``

103

88

`it('should escape utf whitespace', function(done){

`

`@@ -109,13 +94,24 @@ describe('res', function(){

`

109

94

``

110

95

`request(app)

`

111

96

`.get('/?callback=foo')

`

112

``

`-

.end(function(err, res){

`

113

``

`-

res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');

`

114

``

`-

res.text.should.equal('typeof foo === 'function' && foo({"str":"\u2028 \u2029 woot"});');

`

115

``

`-

done();

`

116

``

`-

});

`

``

97

`+

.expect('Content-Type', 'text/javascript; charset=utf-8')

`

``

98

`+

.expect(200, /foo({"str":"\u2028 \u2029 woot"});/, done);

`

117

99

`});

`

118

100

``

``

101

`+

it('should include security header and prologue', function (done) {

`

``

102

`+

var app = express();

`

``

103

+

``

104

`+

app.use(function(req, res){

`

``

105

`+

res.jsonp({ count: 1 });

`

``

106

`+

});

`

``

107

+

``

108

`+

request(app)

`

``

109

`+

.get('/?callback=something')

`

``

110

`+

.expect('Content-Type', 'text/javascript; charset=utf-8')

`

``

111

`+

.expect('X-Content-Type-Options', 'nosniff')

`

``

112

`+

.expect(200, /^/**//, done);

`

``

113

`+

})

`

``

114

+

119

115

`it('should not override previous Content-Types with no callback', function(done){

`

120

116

`var app = express();

`

121

117

``

`@@ -127,7 +123,11 @@ describe('res', function(){

`

127

123

`request(app)

`

128

124

`.get('/')

`

129

125

`.expect('Content-Type', 'application/vnd.example+json; charset=utf-8')

`

130

``

`-

.expect(200, '{"hello":"world"}', done);

`

``

126

`+

.expect(200, '{"hello":"world"}', function (err, res) {

`

``

127

`+

if (err) return done(err);

`

``

128

`+

res.headers.should.not.have.property('x-content-type-options');

`

``

129

`+

done();

`

``

130

`+

});

`

131

131

`})

`

132

132

``

133

133

`it('should override previous Content-Types with callback', function(done){

`

`@@ -141,6 +141,7 @@ describe('res', function(){

`

141

141

`request(app)

`

142

142

`.get('/?callback=cb')

`

143

143

`.expect('Content-Type', 'text/javascript; charset=utf-8')

`

``

144

`+

.expect('X-Content-Type-Options', 'nosniff')

`

144

145

`.expect(200, /cb({"hello":"world"});$/, done);

`

145

146

`})

`

146

147

``
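Review bot: The new test 'should include security header and prologue' in hunk `@@ -109,13 +94,24 @@` only pins the first four bytes of the body, while the same commit replaces the exact `res.text.should.equal('typeof something === 'function' && something({"count":1});')` checks in the earlier hunks with unanchored regexes such as `/something({"count":1});/`, so after this change nothing asserts that the `typeof` guard is still emitted between the prologue and the callback invocation. Since the prologue and the guard are the two parts of the protection this commit documents, at least one assertion should span the whole body, e.g. `.expect(200, /^\/\*\*\/.*typeof something === 'function' && something\(\{"count":1\}\);$/, done)` (the regex escapes look stripped by the page rendering, so I read `/^/**//` as `/^\/\*\*\//`). Whether the guard still follows the prologue is inferred from the removed expectations rather than visible in this diff, so confirm the emitted body in res.jsonp before tightening the pattern.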